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(54) Method and product for generating electronic tokens 



(57) A method of and a product for generating elec- 
tronic monetary tokens that support off-line transactions 
while preventing double -spending. Generation of elec* 
tronic token halves by a financial servk:es provider be- 
gins in response to a request from a buyer to generate 
electronic monetary tokens to be used with an identified 
seller. First, the financial services provider generates a 
muttipliclty of electronc monetary tokens (1014). Sec- 
ond, the provkJer splits each electronic monetary token 
into two electronic token halves (1020. 1022) and asso- 
ciates with each the same serial number (1024). These 
electronic token halves when combined recreate the 
electronic monetary token from which they were gener- 
ated, but by themselves neither electronic token half has 
any value. Nor can either electronic half by itself be used 
to create the electronic monetary token withoul the to- 
ken half's mate. After splitting all of the electronic nrxDo- 
etary tokens, the sen/ices provider assigns a half of 
each electronic token to the seller (1026) and the other 
half of each electrons token to the buyer (1028). The 
buyer and seller can now engage in multiple transac- 
tions off-line of the financial services provider. 
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Description 

The present invention relates to a method and prod- 
uct for generating electronic tokens for transactions be* 
(ween parties. 

David Chaum proposed one ol the earliest digital 
cash models in •Security Without Identification: Trans- 
action Systems to Make Big Brother Obsolete.' Com- 
munication of the ACM. Vol. 28. No, 10. October 1985. 
pp. 1030-1044. Chaum's efforts were foltowed by oth- 
ers, including Okamolo and Ohla. According to Okamo- 
to and Ohta. an ideal digital cash system possesses six 
properties: 

1 . Independence • The security of ideal digital cash 
does not depend upon physical location. 

2. Security - Ideal digital cash cannot be copied and 
used again; tn other words, double spending can be 
prevented. 

3. Off-line payment. A buyer can buy goods and 
services from a seller off-line of a financial services 
provider. 

4. Transferability. Ideal digital cash can be trans- 
ferred to others. 

5. Divisibllrty. A piece of digital cash in a given 
amount can be broken into smaller pieces of lesser 
value. 

6. Privacy. The privacy of users is protected so that 
no one can trace the relationship between a buyer 
and her purchases. 

Okamoto and Ohta proposed a protocol that provid- 
ed all six properties in their paper Universal Cash, Ad- 
vances in Cryptology - CRYPTO '91 Proceedings, Ber- 
lin: Springer- Veriag. 1992, pp. 324-337. According to 
their protocol the data requirement for a single purchase 
is several nrvegabytes. Additionally, the protocol requires 
substantial computation per transaction. Other digital 
cash s/stems fail to provide ofl-Iine transactions, requir- 
ing that at least one other party, besides the buyer and 
seller, be on-line. Still other digital cash systems permit 
off-line transactions, but fail to provide security because 
they can only detect double-spending after it has oc- 
curred. 

For obvious reasons digital cash systems particu- 
larly interest businesses operating on the Internet and 
WorkJ Wide Web. These businesses include many rel- 
atively new types of businesses, such as on-line news- 
papers, print on demand sen/ices, digital libraries, and 
database services, like Nexus/Lexis^ and Dialog^. 
Additionally, some obsen^ers anticipate that new docu- 
ment services will be provided via the World Wide Web, 
including file converson and document summarization. 
The cost per transaction for all of these goods and serv- 
ices is likely to be very slight, tenths of a cent to a few 
cents. For this reason such transactions arc called mi- 
crotransactions. The size ol microlransactions makes 
them very sensitive to transaction overhead, both in 



terms of data requirement and computational cost. 

The invention thus addresses problems that arise 
in electronic payment systems that employ electronic to- 
kens. As noted above, some conventbnal techniques 
s require substantial computation per Iransaclton or sub- 
stantia! data storage requirements, making them im- 
practical for microtransacttons. Others do not permit 
transactions to be performed between a buyer a.nd a 
seller without a third party on-line, such as a bank or 
10 other financial services provider. Yet other techniques 
do not allow for detectbn of double spending until after 
it has occurred. And other techniques do not allow an- 
onymity of a buyer. 

The invention alleviates these problems by provid- 
'5 ing techniques that split an electronic token into other 
items of data that can be distributed and that, when com- 
bined, recreate the electronic token that was split The 
electron k; token can be split, for example, into two other 
items of data, referred to as 'halves', one for a seller 
20 and one tor a buyer. Then, when the buyer provides its 
half to the seller, the seller can combine the two halves 
to obtain an electronic token with a monetary value. 

These techniques are advantageous because they 
support microtransaclions. and can be implemented 
25 with very snr^all costs per transaction, both in computa- 
tion and in data storage required per microtransaction. 
The techniques allow purchases to occur off-line in re- 
lation to a bank or other financial services provider is- 
suing the electronic tokens. The techniques can also be 
30 used to prevent double spending of electronic tokens; 
lor example, a bank or other financial services provider 
can keep track of which recreated electronk; tokens 
have been spent, and prevent double spending. The 
techniques can also be implemented in a way that pro- 
35 vdes some anonymity to users of electronic tokens. 

In ono aspect of the invention, there is provided a 
method of generating electronic tokens forlransactions 
between a set of two or more parties, the method com- 
prising: a) generating two or nnore electronk: tokens; and 
^ b) splitting each electronic token into a set of electronic 
token items that includes one electronic token item for 
each of the set of two or more parties; all of the electronic 
token items in each set having a same unique identifier, 
each set of electronic token items recreating the elec- 
^ Ironic token when combined together. 

In another aspect of the invention, there is provided 
a product for generating electronic tokens for transac- 
tions between a set of two or more parties, the product 
comprising: generation moans for generating two or 
so rnore electronic tokens; and splitting means for splitting 
each electronic token into a set of electronic token items 
that includes one electrons token item for each of the 
set of two or more parties; ail of the electronic token 
items in each set having a same unique identifier, each 
55 set ol electronic token items recreating the electronic 
token when combined togelhor. 

The parties can include a buyer and a seller, and 
the electronic tokens can be split into halves, one to be 
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delivered to each party, such as by electronic transmis- 
sion. 

The invention provides a method for generating 
electronic token hatves that can be combined to create 
an electronic rronetary token that will be honored by a 
financial services provider. Using these electronic token 
halves, the buyer and seller may engage in transactions 
off-line of the financial servces provider, while stiti pro* 
vidtng security against double spending. These elec- 
tronic token halves are well suited to use in microtrans- 
actions because of their small data requirement and lim- 
ited computational cost per microtran section. 

According to one embodiment, generation of elec- 
tronic token halves by a financial services provider be- 
gins in response to a request from a buyer to generate 
electronic monetary tokens to bo used with an idontttiod 
seller. First, the financial services provider generates a 
multiplicity of electronic monetary tokens. Second, the 
provider splits each electronic monetary token into two 
electronic token halves and associates with each the 
same serial number. These electronic token halves 
when combined recreate the electronic monetary token 
from which they were generated, but by themselves nei- 
ther has any value. Nor can either electronic half by itself 
be used to create the electronic nrKtnetary token without 
the token halts mate. After splitting all of the electronic 
monetary tokens, the financial services provider assigns 
a half of each electronic monetary token to the seller 
and the other half of each electronic monetary token to 
the buyer Upon receipt of their electronic token halves 
the buyer and seller can engage in multiple transactions 
off-line of the financial services provider. Because each 
electronic token half cannot be used by itself to recreate 
the electronic monetary token it partially represents, the 
buyer can transmit electronic token halves without first 
encrypting them. Thus, there is little computational cost 
per microtraneaction to the buyer. Additionally the data 
requirement per microtraneaction is also small, because 
the electronic token half can be represented in as few 
as approximately 20-500 bytes. Upon receipt of an elec- 
tronic token half, the seller can protect himself from dou- 
ble spending attempts using the session serial number 
associated with the reconstructed electronic monetary 
token. The computational cost to the seller per micro- 
transaction is also small. 

The invention will now be described, by way of ex- 
ample, with reference to the accompanying drawings, 
in which: 

Figure 1 illustrates a conomunications system; 
Figure 2 illustrates a method of requesting electron- 
ic tokens for purchases with a selected seller; 
Figure 3 illustrates a method of forwarding a request 
tor electronic tokens; 

Figures 4Aand 4B illustrate a method of generating 
and splitting electronic tokens; 
Figure 5 illustrates a seller's response to receipt of 
two electronic purses, each including a set of elec- 



tronic token hah/es; 

Figure 6 illustrates a buyer's response to receipt of 
an electronic purse; 

Figure 7 illustrates initiation of a microtransactton 
5 off-line Irom a financial services provider; 

Figure 8 illustrates completion of a microtransaction 
off-line from a financial sen/ ices provider; 
Figure 9 aiustrates a nrtethod of redeeming electron- 
ic tokens; and 

10 Figures lOAand 10B illustrate a method of redeem- 
ing unspent electronic token halves. 

Figure 1 illustrates in block diagram form commu- 
nications system 15 in which an embodiment can be im- 
'5 plemented by executing instructksns 100, 500, and 
1000. Instructions 100. 500. and 1000 altor the opera- 
tion of communications system 1 5, allowing buyers and 
sellers within the system to engage in many electronic 
microtransactions off-line of a financial services provid- 

^0 er, while still preventing double-spending. In particular, 
as illustrated in Figures 4A and 4B. instructions 1000 
enable a financial services provider to generate elec- 
tronic monetary tokens that can be spent off-line of the 
provider, while still preventing double -spending. Briefly 
described, a financial sen/ices provider generates a 
number of electronic monetary tokens, divides each of 
these in half and assigns a serial number to each pair 
of electronic token halves. The financial sen/ ices pro- 
vider then gathers the electronic token halves into two 

30 electronic purses and gives one purse to a seller and 
the other to a buyer. This is analogous to printing a dollar 
bill, cutting the bill in half and giving one half to the buyer 
and the other to the seller. The buyer may then make a 
nunriber of off-line purchases from the seller. For each 

35 transaction the buyer presents an electronic token half. 
The seller can detect doubte-ep ending attempts by the 
buyer off-lino of the financial services provider using the 
serial number of the proffered electronic token half. 
Prior to a more detailed discussion of the present 

^ method, consider Figure 1. Communications system 15 
couples together, via telephone lines 19 and telephone 
system 20. buyers 16. sellers 17, and financial service 
providers 1 B or banks. For the sake of brevity in the fol- 
lowing discussion, the term 'bank' will be used to refer 

4^ to both banks and financial sen/ices providers, (also re- 
ferred to as FSNs). Communications system 15 enables 
both communicatksn between buyers 16, sellers 17 and 
banks 16. as well as microtransactions between buyers 
16 and sellers 17 off-line of banks 18. 

&o A buyer-seller pair complete an off-line microtrans- 
action by combining two halves of an electronic token. 
As used herein, an 'electron k: token* is a group of elec- 
trically represented bits, whch can be electronically 
transmitted and stored, and that can be used for a trans- 

55 action between parties. For example it can have some 
agreed upon monetary valuo that will be honored by a 
bank 18. 

'Splitting* an electronic token means performing an 
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operation that uses ihe electronic token to produce two 
or more items of data that are only certatn to include all 
the tnfornnation in the electronic token when taken to- 
gether. For example, if an electronic token is split into 
two items of data, the two items can be refeued to as 
■halvesV 

Conversely, an operation "combines' items of data 
from a splitting operation if the operation uses the items 
of data to produce an electronic token that is the same 
as the electronic token that was split. A combining op- 
eration may be said to "recreate' the electronic token. 
If the electronic token that was split is a secret, all of the 
items of data from the splitting operation must be used 
by a combining operation in order to recreate the elec- 
tronic token and thus obtain the secret. 

A "serial number' is a number that uniquely identi- 
fies an item of data within a group of items of data. More 
generally, a 'unique identifier' could be a serial number 
or any other kind of value that uniquely identifies an item 
of data. 

Preferably, to support microtransaciions the value 
represented by each electronic token is small, such as, 
for example, 0.01c. 1c. 25c. $1, or $2. (Note that the 
present invention is not limited to a particular monetary 
unit.) Each electronic token should include a unique se- 
rial number. As used herein, an "eleclronic token half is 
thus a group of electronically represented bits, which 
can be electronically transmitted and stored, that when 
combined with a corresponding electronic half token re- 
sults in an electronic token. By itself, an electronic half 
token has no value; further, each electronic half token 
can only be combined with a single, corresponding elec- 
tronic half token. 

Any person or entity purchasing goods or service 
via communications system 15 using electronic token 
halves is a buyer 16. Each buyer may communicate with 
solksrs via smart card 40 alone, or uso smart card 40 in 
combination with computing device 22. Smart card 40 
enables buyer 16 to communicate with sellers 17 and 
banks 18 by storing electronic token halves and, prefer- 
ably, the buyers private key. During microtransaction in- 
Itlatton. described below, smart card 40 may be inserted 
into a seller's smart card scanning device, or the buyer's 
computing device 22, to electronically sign, seal and un- 
seal documents as necessary, as well as to receive and 
store electronic tokens. Buyer 16 may use smart card 
40 to pay for microtransactions by using smart card 40 
by inserting it into a payment device provkjed by a seller 
1 7. such as for example, a parking meter or a telephone 
booth. Alternatively, buyer 16 could pay seller 17 for 
goods delivered via the Internet by inserting smart card 
40 into computing devce 22. To provide this functional- 
ity, smart card 40 is small and portable, preferably about 
the size of a credit card, to albw it to be easily transport- 
ed in a purse or pocket. Smart card 40 includes a proc- 
essor and solid state memory, not illustrated. One do- 
vice that might be used to realize smart card 40 is the 
iPower PCMCIA(l) card produced by National Semi- 



conductor Corporation of Santa Clara, Caitlornia. Alter- 
natively, flash memoiy cards may be used to Implement 
a smart card 40 just for storing electronic tokens. 
Each buyer 16 may use smart card 40 in combtna- 
5 tion with computing device 22. Computing device 22 
connects buyer 16 to seller 17 and financial services 
provider 18 va telephone system 22. Typtcaify, comput* 
ing device 22 includes monitor 24 for visually displaying 
information to buyer 16. Computing device 22 also pro- 

10 vides buyer 16 multiple avenues to input data including 
keyboard 26 and mouse 28. Alternately, buyer 16 can 
input data stored on a magnetic medium, such as a flop- 
py disk 30, by inserting the disk into floppy disk drive 32. 
Processor 34 controls and coordinates the operations 

'5 of computing device 22. Processor 34 determines and 
takes the approprtato action in response to each user 
command by executing instructions 1 00 stored electron- 
icalty in memory, either memory 36 or on a floppy disk 
30 within disk drive 32. Typk:alty, operating instructions 

20 (or processor 34 are stored in solkl state memory, allow- 
ing frequent and rapid access to the instructions. Addi- 
tionally, memory 36 stores instructions 100 to enable 
processor 34 to initiate and complete microtransactions 
in conjunction with smart card 40. Instructions 100 may 

25 be written in any computer language, including, but not 
limited to. C++. Python, or Lisp. Semiconductor logic de- 
vices that can be used to realize memory 36 include 
read only memories (ROM), random access rtiemories 
(RAM), dynamic random access memories (DRAM), 

30 programmable read only memories (PROM), erasable 
programmable read only memories (EPROM), and elec* 
trically erasable programmable read only memories 
(E EPROM), such as flash menrories. 

To communicate with sellers 17 and financial serv- 

^ ice provKfers 18. computing device 22 includes a mod- 
utator/dennodulator (rrxxlom) 38 coupled to telephone 
lino 1 g. Modem 38 allows computing device 22 to trans- 
mit and receive electronic information via telephone line 
19. 

^ Alternately, buyers 16 might communicate with 
communications system 1 5 using a less powerful devce 
known as an 'internet appliance." Internet appliances 
have been proposed by companies like Intel, Oracle, 
and Mcrosoft who foresee interest in a simple box, with- 
out a monitor, including little memory or resident soft- 
ware, that would allow consumers to connect to the in- 
temet using their televisions. Buyers 16 would be able 
to use an internet appliance to engage in purchases 
over the World Wde Web provided that the appliance 

so accon^odated smart card 40. 

Each seller 1 7 uses at least one computing device, 
similar to computing device 22, to communicate with tel- 
ephone system 20 via telephone lines 19. Consequent- 
ly, the computing devices used by sellers 17 will not be 

^ described in detail herein. Large sellers may use a com- 
puter nohA/ork • multiple computing devices coupled to- 
gether, and capable of conrimunicating with one another, 
via a sen/er running network software, such as, tor ex- 
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ample, Microsoft NT^ or Banyan Vines™. Wihin com- 
puter memory each seller 17 stores instructions 500 en- 
abling them to sell goods and services to buyers using 
electronic tokens and to detect double-spending of elec- 
tronic tokens. Instructions 500 may be written in any 
computer language, including, but not limited to. C-f+, 
Python, or Lisp. Each seller may also include within its 
computer memory instructions 100 to enable it to buy 
goods and sen^tces using electronic token halves. 

As used herein, a financial services provider or 
bank is any entity with which a buyer 16 has an agree- 
ment for the provision of electronic tokens. Pursuant to 
their agreement, bank IB o^y charge the buyer's elec- 
tronic tokens against the buyer's checking account, sav- 
ings account, credit card, or debit card. Buyer 16 and 
bank IB also agree to use a public -key cryptos/stom to 
communicate with one another and exchange their pub- 
lic keys. This allows buyer 16 to encrypt a message to 
bank 18 with her private key. which bank 18 can later 
decrypt using the buyer's private key and vice versa. 
Sellers 17 also set up accounts with banks, agree to use 
a public-key cryptosystem and exchange public keys. 

Like sellers 17, each bank 18 uses at least one com- 
puting device, like computing device 22 or. more likely, 
uses a computer network to couple to telephone system 
20. Instructtons 1000 for generating, tracking, and re- 
deeming electronic tokens are stored within the memory 
of the bank's computing device or computer network. 
Instructions 1000 may be written in any computer lan- 
guage, including, but not limited to. C++. Python, or Lisp, 
for example. 

The present embodiment amortizes the cost of a 
connection vyith bank 18 over several microtransactions 
by generating in a single connection two sets of elec- 
tronic token halves that can be spent off-line of bank 18. 
while still protecting sellers 1 7 against double-spending. 
Figures 2-6 describe the interaction between buyer 16. 
seller 17, and bank 18 for generating the two sets of 
electronic token halves prior to initiating mcroiransac- 
tions between a particular buyer 16 and seller 17. 

Prior to engaging in any microtransaclion, buyer 16 
selects a seller 1 7 whose goods and/or services the buy- 
er would like to purchase, as well as determining the 
amount of money likely to be adequate for a number of 
purchases over a period of time. Buyer must determine 
the seller with wftom she wishes to do business because 
the electfonk: token halves she will receive from her 
bank 18 will not be arbitrarily transferable • she will be 
able to spend her electronic token halves only with that 
one seller 17. 

Having selected a seller 17. buyer 16 is ready to 
engage in process 101 illustrated in flow diagram form 
in Figure 2, which is a portion of instructions 100. Using 
smart card 40 inserted, during step 102 buyer 16 gen- 
erates a first plain text electronic message, intended lor 
her bank, indicating her identity, the seller selected to 
do business with, the number of electronic tokens de- 
sired, and their values. Subsequently, during step 104 



buyer 16 uses smart card 40 to electronically sign the 
first electronic message using the buyer's private key. A 
number of techniques can be used to digitally sign the 
plain text message, which affect how the signature is 
5 later authenticated by a bank. Buyer 16 could encrypt 
the entire message using her private key. but this is com- 
putationally intensive. A less computationally intense 
and preferable approach would be to take the plain text 
message and generate a one-way hash from it using a 

10 function agreed upon with bank 18. such as PGP or 
MD5, for example. Buyer 16 then encrypts just the hash 
using her private key Associated with the plain text mes- 
sage, the encrypted hash senses as the buyer's digital 
signature. In the following discussion, we will assume 

IS this is the approach taken by both buyer 16 and bank 
16, ovon though any digital signature tcchniquo couU 
be used equally well in the present embodiment. 

Having signed her message, during step 1 06 buyer 
16 seals her message using her smart card 40. Again, 

20 buyer 16 may use a number of approaches to seal her 
message. Buyer 1 6 couW encrypt the entire signed mes- 
sage using the bank's public key and a public key algo- 
rithm like RSA. for example, but this Is computationally 
intensive. Alternatively and preferably, buyer could seal 

2S her message by generating a sessbn key using a ran- 
dom number generator, encrypt the signed message us- 
ing the session key and a symmetric algorithm, like 
IDEA, for example, then encrypt the session key using 
the bank's public key and append the encrypted sesskxi 

30 key to the encrypted signed message. 

In box 108. buyer 16 takes the signed and sealed 
first electronic message and attaches it, or appends it 
to, a second electronic message directed to the selected 
seller 17. Buyer 16 indicates her bank and its address, 

^ to which the enclosed, signed, and sealed electronic 
message should be forwarded. Note that tho message 
need not indicate the buyer's identity to seller 17, pro- 
viding anonymity to buyer 16. and preventing sellers 
from building a dossier about buyer 16. When the sec- 

^ ond electronic message is complete, buyer 16 transmits 
it to the selected seller 17 in box 110. Now. when done 
in box 112, buyer 16 awaits receipt of electronc token 
halves. 

Figure 3 illustrates in flow diagram form the re- 
^ sponse 501 of seller 17 to receipt of the second elec- 
tronic message. Instructions 501 are a portion of instruc- 
tions 500. Using its computer network, during step 502 
seller 1 7 identifies the bank 1 8 (FSN) to whom the buy- 
er's first electronic message should be lonvarded. 
so wthout any idea of the identity of the buyer, seller 17 
then forwards the buyer's first electronic message to the 
identified bank. During step 504 seller 17 forwards the 
messages via telephone system 20 using the seller's 
computer network. Now, tike buyer 16, seller 17 awaits 
55 receipt of electronic half tokens. 

Figures 4A and 48 illustrate in flow diagram form 
response 1001 of bank 18 to a request for electronic to- 
kens. Instructions 1001 are a porlion of instructions 
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1000. Bank 18 begins with step 1002 by using its com- 
puter network to unseal the signed and sealed message 
from buyer 16. Bank IB unseats the message by de* 
crypting the session key using its private key and using 
the session key to decrypt the message. This reveals 
the buyer's plain text message and her signed hash. 
During step 1004, bank IB determines from the plain 
text who the asserted buyer is. Subsequently, during 
step 1008 bank 18 attempts to determine whether the 
buyer is who she says she is by authenticating her digital 
signature. Bank IB does so by decrypting the signed 
hash using the buyer's public key and comparing the 
resulting hash to its own hash of the plain text. If the test 
in step 1010 determines that the decrypted hash and 
that generated by the bank do not match, the buyer is 
not who she says sho is and bank 18 will not generate 
any electronic tokens. Instead, during step 1012 bank 
1 8 informs the seller 1 7 and/or the identified buyer that 
no electronic tokens can be issued. On the other hand, 
if the two hashes match, bank 18 feels secure that the 
buyer is who the plain text asserts she is. In response, 
bank 18 advances to step 1014 to begin the process of 
generating electronic token halves. 

Bank 18 uses its computer network and generates 
the desired number of electronic tokens in the denomi- 
nations desired, as indicated by the buyer's plain text 
request, during step 1014. As discussed previously, 
each electronic token is a group of electrk:ally represent- 
ed bits: an electronk: token could, for example, be a 
string of bits whose information includes the value of the 
token and a unique serial number. The serial number 
assigned to each electronic token should not be unique 
only to the particular pair of buyer and seller, it should 
also be unique as to every other electronic token ever 
issued by the bank 18. Additionally, to prevent anyone 
from determining the order in which buyer 1 6 makes hor 
purchases, bank 18 may not wish to assign serial num- 
bers sequentially. The information included in the elec* 
tronic token also tncludes the kientity of the bank, so 
that seller 17 will know with which bank the electronic 
token can be redeemed. Next, bank 18 digitally signs 
each electronic token using its private key and associ- 
ates Its digital signature with the electronic token. This 
can be done using the same technk^ues discussed pre- 
viousty with respect to step 1 04. This results in a signed 
string of bits for each electronic token, which we will des- 
ignate as Sqp(J). The length of Sqp(T) determines the 
length of the electronic token halves to be generated 
subsequently, and so sets the data requirement per mi- 
crotransaction for the buyer. To support microtransac* 
tions effectively, the length of the electronic token and 
its token halves shoukl be such that they can be repre- 
sented in about 20-500 bytes. Having generated the 
electronic tokens, bank 18 is ready to begin the process 
of splitting them into two sets of electronic token halves, 
an iterative process that begins with stop 1016. 

Many of the advantages attainable by implementing 
the present inventbn result from splitting the electronic 



tokens in half using secret splitting. Secret splitting splits 
a secret, in this case the value of electronic token, into 
multiple pieces. None of the panics to the secret can 
learn the secret without all cooperating with one another 
5 to combine their secret pieces. Each secret piece is val- 
ueless on its own. as well as meaningless to anyone 
without all the other secret pieces. Because each elec- 
tronic token half is valueless by itself, buyer 16 is pro- 
tected from unauthorized redemptions of electron c to- 
kens by seller 17. When session serial numbers are 
added to the electronc token halves, both bank 16 and 
buyer 17 are protected from double spending. 

Referring again to Figures 4A and 4B. for simplcity 
steps 1018-1024 show only one electronic token being 

^5 split in half at a time; however, the present invention is 
consistent with many electrons tokens being split at 
once. First, during step 1018, bank 18 selects one of the 
signed electronic tokens to be split using secret splitting. 
Other methods of sptitting the electrons tokens may be 

20 used consistent with the present Invention. During step 
1020, using its computer network bank 18 generates a 
first token half for the buyer This is done by generating 
a random electronic string P whose bit length is equal 
to that of the selected signed token. The random string 

25 p is then used to create the second token half for the 
signed electronic token during step 1 022. Using its com- 
puter network, bank IB generates the second electronic 
token half, O. by performing a bitwise XOR of Sgp (T) 
and P. resulting in O. Neither the first electronc token 

30 half. P. nor the second electronic token half. Q. have 
any value of themselves; however, they can be com- 
bined together by a bitwise XOR to obtain Sbr (T)- This 
prevents seller 17 from redeeming tokens without the 
consent of buyer 16, as well as protecting sailer 17 from 

35 double-spending by buyer 16. Note also, that buyer 16 
can use her etectronc tokens only for purchases with 
the selected seller. If she wishes to do business with 
another seller, she must obtain another, different set of 
token halves. 

^ Having split the signed electrons token, during step 
1024 bank 18 assigns and associates a session serial 
number with both token halves P and Q to Identify the 
token halves that should be connbined together. Each 
session serial number needs to be unique as to the en- 

45 tire set of electronc tokens being generated during this 
nr^crotransaction, but need not be unique as to all mac- 
rotransactcns between this seller and buyer because 
before a new macrotransaction can be initiated the elec- 
tron ic token hah^es from the previous microtransaction 

so are flushed. That done, bank 18 returns to step 1016 
and branches through step 1018-1024 until all of the 
signed electronic tokens have been split in half. When 
ail of the signed electronic tokens have been split in half, 
bank 18 advances to step 1025. 

55 During step 1025, in anticipation of the future re- 
demption of the electronic tokens just gone rated bank 
18 makes an entry to a database in its computer mem- 
ory. Bank 18 uses this database to track valid, unro- 
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deemed electronic tokens. Bank 18 makes an entry in 
this database for every buyer-seller pair with outstand* 
ing. valid electronic tokens. Bank 18 assigns a unique 
tdentilier, which we shall call a purse identifier, to the 
group of electronic tokens just generated. Bank 18 then 
notes the purse identifier in its database entry for this 
buyer-seller pair, as well as all of the session serial num* 
bers of those electronic tokens. Bank 18 also stores the 
address of seller 1 7 in the database entry in case buyer 
16 should wish to redeem unspent electronic token 
halves. That done, bank 16 advances to step 1026 Irom 
step 1025. 

With step 1026 bank 16 is now ready to begin sep- 
arating the electronic token halves into a seller*& purse 
and a buyer's purse. Bank 18 may assign to the seller 
all of the first token halves. P, all of the second token 
halves, Q, or some combination of the first and second 
electronic token halves, without effecting the present 
method, so long as neither the seller, nor the buyer, re- 
ceives both halves of an electronic token. To the seller's 
purse, bank 18 adds the purse identifier generated dur- 
ing step 1 026, which the seller uses during communica- 
tions with respect to electronic tokens from this purse. 
Bank 18 then signs and seals the seller's purse. Bank 
18 then assigns the remaining token halves to the buy- 
er's purse during step 1028, adds the purse identifier, 
and seals these token halves with the buyer's public key. 
Finally, during step 1030. bank sends both electronic 
purses to the selected seller 17 via telephone network 
20, with an indication of which electronic purse belongs 
to whom. (Note that bank 18 need not send the buyer's 
etectronk: token halves care of seller 17 if buyer 16 is 
on-line, rather than just using her smart card 40.) Bank 
16 need not be involved in the business between buyer 

16 and seller IB. until one of the parties wishes to re- 
deem the electronic tokens. 

Figure 5 illustrates in flow diagram form the re- 
sponse 520 of seller 17 to receipt of the two electronic 
purses. Response 520 is a portion of Instructions 500. 
After determining which electronic purse is his, during 
step 522 seller 1 7 unseats his electronic purse using his 
computer network and his private key Seller 17 stores 
the electronic token halves and purse identifier so re* 
vealed in computer memory in a location associated 
with buyer 16 during step 524. During step 526. seller 

17 forwards to buyer 16 her electronic purse via tele- 
phone system 20. Seller 17 is now prepared to transact 
business with buyer 16 off-line of bank 18. 

Modifications to response 520 to accommodate re- 
ceipt by seller 1 7 of only his electronic purse will be ob- 
vious to those of ordinary skill in the art. 

As illustrated in Figure 6. in flow diagram form, the 
response 130 of buyer 16 to receipt of her electronic 
purse is nearly identical to that of seller 17. Response 
1 30 is a portion of instructnns 100, and is executed by 
buyer 16 using her smart card 40. The primary differ- 
ence between the response of buyer 16 and seller 17, 
is that buyer 16 stores her electronic token halves and 



purse identifier in snnart card 40. which is portable and 
can be used independent of computing devk:e 22. Thus, 
buyer 16 can purchase goods and/or sen/ices from sell- 
er 1 7 at one of the seller's places of business or remotely 
5 using computing device 22 and telephone system 20. 
Buyer 16 can now initiate microtransacttons with seller 
17 off-line of bank 18. 

Figures 7 and 8 illustrate the process of a single mi- 
crotransactbn; however, once a buyer-seller pair have 

^0 a corresponding pair of electronic token halves Ihey are 
free to engage in as many microtransactions as the val- 
ue of their electronic token halves permit without the in- 
volvement of bank 18. This amortizes over nnany micro- 
transact on s the computational cost to buyer 16 of sign- 

>5 ing and seating her token request, as well and unsealing 
her token halves. Also amortized over several micro- 
transactk>ns is the seller's computatbnalcostof unseal- 
ing his electronic token halves. In addition to amortizing 
the connection time required for a macrotraruaction 

20 over several microtransactions, the methods of Figures 
7 and 8 keep the computational cost per microtransac- 
tion quite low. The computational cost of each micro- 
transactbn is quite low for the buyer because there in 
no encryption or decryption, signing or sealing per mi- 

25 crotransactton. All buyer 16 need do is transmit each 
electronic token half, each of which is represented by 
about 20-500 bytes per electronc token half. The com- 
putational cost per microtransaction is also quite low for 
seller 17. one private/public decryption per microtrans- 

30 action (checking the bank's signature each time a token 
is combined). This is important given the small value of 
each individual microtransaction to prevent the seller's 
overhead costs from exceeding the amount collected for 
each microtransaction. 

35 Figures 7 illustrates in flow diagram fonm a portion 
150 of instructions 100 for initiating a microtransactkxi 
off-line of a bank. After making her selection and noting 
its price, buyer 16 indicates to seller 17 her choice and 
enables the transmisston of the appropriate number of 
electrons token halves from her smart card 40 to the 
seller's computer network. Note that buyer 16 still re- 
mains anonymous. Having done that, buyer 16 need on- 
ly await delivery of the purchased goods and/or servic- 
es. 

^ Figure 8 illustrates in flow diagram form the re- 
sponse 550 of a seller 17 to receipt of a request for 
goods and/or services that includes electronic token 
halves. Response 550 is a portbn of instoictions 500. 
Seller 17 has two concerns at this point: 1) Is the 

50 buyer attempting to cheat him? and 2) Has the buyer 
offered enough money? Using its computer network, 
seller 17 addresses these concerns one electronk: to- 
ken half at a time with an iterative process that begins 
with step 552. After selecting one of the buyer's elec- 

^ tronic token halves during step 554. seller 17 examines 
the session serial number associated with the sclcctod 
token half during step 556 to determine whether it 
matches that of one of the seller's remaining token 
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halves. If not. then buyer 16 is attempting to double 
spend an electronic token half. In response, seller 17 
returns to step 552 from step 556 to oontinue its exam- 
ination ot the buyer's electronic token halves. On the 
other hand, if seller 1 7 always disposes of all copies of 5 
an electronic token half after successfully combining 
that token hall with one of the buyer's, then seller 17 can 
rest assured that buyer 16 is not attempting to double 
spend an electronic token half when two electronic to- 
ken halves have a matching session serial number. In io 
response to identifying one of his own token halves that 
has a session number matching the selected buyer's to* 
ken hall, seller 17 advances to step 556 from step 556. 

Seller 17 combines the two electronic token halves 
with matching serial session numbers during step 558 '5 
by performing a bitwise XOR. This produces the corre- 
sponding signed electronic token. Sgp^T), revealing the 
plain text of the electronic token and the associated 
bank signature. To authenticate the electronic token, 
seller 1 7 decrypts the hash using bank's public key and 20 
compares the resulting hash to that of the plain text for 
the electronic token. If the two hashes match, seller 17 
considers the electronic token valid. Seller 17 nr^y not 
choose to authenticate every electronic token, choosing 
Instead to authenticate some random subset of all etec- 2$ 
tronic tokens. This reduces the seller's compuiationat 
burden per microtransaction. Seller 1 7 responds to a 
valid electronic token by noting its value and storing it 
In memory for future redemption and advances to step 
559. 30 

During step 559 seller 17 renioves from memory 
any copies of electronic token halves with a serial ses- 
sion number matching that just used to enable detection 
of future double spending attempts. Seller 1 7 now turns 
its attention to any remaining electronic token halves re- 3S 
ceived from buyer 16. So long as any remain, seller 17 
branches through stops 552 through 559 in the manner 
just described. After processing all of the electronic to- 
ken halves transmitted by buyer 16. seller 17 exits step 
552 and advances to step 560. 40 

During step 560 seller 17 examines the sum of all 
ot the electrons tokens resulting from the process of 
steps 552 through 559 to see if that sum is enough to 
pay for the goods and/or services requested by buyer 
1 6. If not, seller 1 7 so informs buyer 1 6 during step 562. ^ 
On the other hand, if the sum is adequate, seller 17 re- 
leases the desired goods and/or services to buyer 16. 
Seller 17 may release them directly to buyer 16 if she is 
present, or in the case of many World Wide Web busi- 
nesses may transmit them electronicaify to buyer 1 6 via so 
telephone system 20. allowing buyer 16 to maintain her 
anonymity. 

After a number of off-tine microtransaction s. seller 
17 may wish to redeem his electronic tokens vnth the 
issuing bank 18. Seller 17 can do so by generating a ss 
plain text oloctronic message identifying himself and re- 
questing redemption of the electronic tokens from the 
identified purse, and signing the request. Seller 17 then 



seals the signed redemption request using the bank's 
public key and sends the request via telephone network 
20 to the bank's computer network. 

Figure 9 illustrates in flow diagram the response 
1050 of bank 18 to a redemption request from seller 17. 
Response 1050 is a portion of instructions 1000. Bank 
18 responds to receipt of a sealed electronic message 
in step 1060 by unsealing the message using its private 
key and revealing the plain text redemption request, the 
purse identifier, the electronic tokens that the seller 
wishes to redeem and the seller's signature. 

At this point, bank 18 has two concerns: 1. Is the 
seller who he purports to be? and 2. Is the seller attempt- 
ing to double spend? Bank 18 addresses the former 
concern by authenticating the seller's signature during 
stop 1061. If the test in step 1062 determines that the 
signature is not authentic, bank 16 will not redeem any 
ot the tokens. On the other hand, if the signature is au- 
thentic, bank 18 turns its attention to the tatter concern, 
double spending, which it addresses one electronic to- 
ken at a time with an iterative process that begins with 
step 1063. 

To detect double spending of an electronic token, 
during step 1064 bank l8compares the token's session 
serial number to sessran serial numbers remaining in 
the database entry for the purse identifier If bank 18 
does not find a match, the seller is attempting to double 
spend the token, and bank 18 will not credit the seller 
for that electronic token. On the other hand, if the serial 
number of the electronic token matches a sess bn serial 
number remaining in the relevant database entry, bank 
18 removes the session serial number of the redeemed 
electronic token from the database entry and advances 
to step 1 066. Bank 1 8 may also detect double spending 
using other approaches. Whatever approach is taken, 
bank 18 needs to ensure that it only honors an oloctronic 
token onco. 

Once bank 18 determines that an electronic token 
is valid, however that Is done, during step 1066 bank 18 
increases the sum due to seller 1 7 by the amount of the 
electron c token. That done, bank 18 continues execut- 
ing steps 1063 through 1066 until all of the seller's elec- 
tronic tokens have been processed. When that occurs, 
during step 1068 bank 18 informs seller 1 7 of the credit 
to be given him and how that credit will be given to him. 

Buyer 16 generates a redemption request for her 
unspent electronic token halves in much the same man- 
ner as discussed previously with respect to seller 17. 
including instead her unspent electronic token halves 
and the purse identifier. Nonetheless, the response of 
bank 18 to a redemption request from buyer 16 differs 
from that of a request from seller 1 7. Bank 1 8 responds 
differently because of Its concern with protecting seller 
17 from double spending by buyer 16, as well as pro- 
tecting itself from double spending by both parties. Brief- 
ly doGcribod, bank 16 protects eollor 17 from any at- 
tempts by buyer 16 to redeem electronic tokens buyer 
16 has already paid to seller 1 7 by requesting that seller 
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17 redeem all of its electronic token halves, spent and 
unspent. Bank 18 then processes the seller's electronic 
tokens prior to redeeming the buyer's unspent electronic 
token halves. 

Figure 10 illustrales in detail the response 1080 of 5 
bank 18 to a redemption request from buyer 16, Re- 
sponse 1080, illustrated in flow diagram form, is a por- 
tion of instructions 1000. For brevity's sake, the steps of 
unsealing and signature authentication have not been 
illustrated. After determining that buyer 16 is who she ro 
says she is. bank 16 notes the purse identifier for the 
unspent electronic token hakes during step 1082. Bank 

18 uses the purse identifier to retrieve the address of 
seller 1 7 from the relevant database entry. Subsequent- 
ly, during step 1084. bank 18 informs seller 17 of the '5 
buyer's rodcmptk>n request and asks seller 17 to return 

all spent electronic tokens and all unspent electronic to- 
ken halves associated with the purse identifier. That 
done, bank 18 awaits receipt of the seller's purse during 
step 1086. 20 

Upon receipt of the seller's purse, bank 1 8 redeems 
the valid electronic tokens during step 1088 using the 
process described previously with respect to Figure 9. 
This enables bank 18 to detect whether buyer 16 is at- 
tempting to cheat seller 1 7 by trying to redeem with bank 25 
18 electronic token halves lhal buyer 16 has already 
paid to seller 17. In the process, bank 16 identifies the 
valid session serial numbers by removing from the rel- 
evant database entry the session serial number of each 
redeemed electronic token. Bank 18 then advances to 30 
step 1090 from step 1088. 

Bank 18tums its attention to redeeming the buyer's 
previously unspent electronic token halves with step 
1090, which bank 18 does one electronic token half at 
a time. Bank 1 8 selects one of the buyer's retumed elec- 3S 
tronic token halves during step 1092 and then compares 
the session serial number of the selected tokon half to 
those session eerial numbers remaining in the relevant 
database entry. If the sessksn serial number is not in the 
database entry, bank 18 will not credit buyer 16 for that 
electronic token. On the other hand, if a matching ses- 
sion serial number is found in the database during step 
1094, bank 18 regards the electronic token half as valid. 
In response, bank 18 advances to step 1096. 

Bank 18 determines the value of the electronic to- <5 
ken being redeemed during step 1096 by combining the 
selected buyer's token half with the seller's correspond- . 
ing token half; i.e.. the seller's token half with the corre- 
sponding session serial number Bank 1 8 does so by 
performing a bitwise XOR of P and Q to produce Sqp so 
(T). Bank 16 then increases the sum due to buyer 16 by 
the face annount of the electronic token. During step 
1098, bank 18 then removes from the relevant database 
entry the serial session number of the electronic token 
just redeemed. Bank 18 also marks as invalid the serial ss 
number included in the electronic token. Aflonftrard, 
bank 18 returns to step 1090. 

Bank 18 continues executing steps 1090 through 



step 1098 by unlit all of the buyer's electronic token 
halves have processed. When that occurs, bank 18 
branches to step 1099 from step 1090. Bank IB then 
inform both buyer 16 and seller 17 the credit due to 
them. 

Sellers 17 may desire authorizations from buyais 
1 6 prior to completing certain microtransactions. For ex* 
ample, a secure library service may want to know that 
the buyer has the necessary security clearance or a pro- 
vkJer of adult materials will want to know that the pur- 
chaser of the material is over 21 years of age. The meth- 
ods previously discussed can be modified to provide au- 
thorizations while still maintaining the anonymity of the 
buyer. Depending on the level of service provided by a 
bank 18. buyer 16 may be able to obtain authorizatkim 
tokon halves from bank 1 6 or nr^y have to obtain those 
from a special authorization sen^ice. Whatever servce 
provides authorizations, buyer 16 wilt have to prove that 
she possesses the characteristics she wishes to assert 
about herself; that she has a certain security clearance, 
or that she is 21 years old. Having proved she possess- 
es the necessary characteristic, buyer can request au- 
thorization tokens from the authorization in substantially 
the same manner discussed previously with respect to 
Figure 2. Upon receipt of the authorization request, the 
authorization service can generate authorization tokens 
and split them in half using the same method discussed 
previously with respect to Figures 4 A and 4B. Authori- 
zation token halves have no authority by themselves - 
they prove nothing in the absence of another authoriza- 
tion tokien half with a matching session serial number. 
Upon receipt of her authorization token halves, buyer 
1 6 can use them to authorize purchases while maintain- 
ing her anonymity using the same methods discussed 
previously with respect to Figure 7. The response 550 
of a seller to a purchase request requiring authorization 
is substantially that discussed previously with respect to 
Figure 8. 

in the foregoing specification, the inventbn has 
been described with reference to specific exemplary 
embodiments thereof. It will, however, be evident that 
varbus modifications and changes may be nnade there- 
to wthout departing from the broader scope of the in- 
vention as set forth in the appended claims. 

The above implementations relate to electronic 
monetary tokens provided by banks or other financial 
sen^ice providers for use between a buyer and a seller, 
but the invention could be implemented with other types 
of electronic tokens provided by other types of entities 
for use between sets of two or more parties for other 
types of transactions. 

The above implementations employ serial numbers 
as unique identifiers of electronic tokens and of items 
produced by splitting electronic tokens, but other types 
of unique identifiers coukJ be used. 

Jho above implementations perform splitting by 
generating a random number then performing an XOR 
operation, but many other splitting techniques could be 
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used. For example, pseudorandom numbers could be 
used rather ihan random numbers, and logical opera- 
tions other than XOR could be used. Funhermore, rath- 
er than performing the splitting operations in a se- 
quence, many eleclronic tokens could be split In parallel. 5 

The above implementations may employ secret 
splitting by splitting secret electronic tokens, but the in- 
vention could also be implemented in situations in which 
the electronic tokens are not secret as such, but are sim- 
ply not othenvise available to the parties to a transac- io 
tion. 

The invention can be implemented in a way that al- 
lows a seller to prevent double spending, but the inven- 
tion could also be implemented In a manner that does 
not prevent double spending. is 

The above implomenlations allow for off-lino trans- 
actions, such as with a buyer using a smart card, but the 
invention could also be implemented lor on-line trans- 
actions, with the buyer on-line and even with a financial 
service provider or other entity on-line. 20 

The above implementations make use of the tele- 
phone system to distribute electronic token items, but 
any other appropriate distribution mechanism could be 
used. 



Claims 

1. A method of generating electronic tokens for trans* 
actbns between a set of two or more parties, the 30 
method comprising: 

a) generating two or rnore electronic tokens; 
and 

b) splitting each electronic token into a set of 3S 
electronic token items that includes one elec- 
tronic token item for each of the set of two or 
more parties; alt of the electronic token items in 
each set having a same unique identifier, each 

set of electronic token items recreating the 40 
electronic token when combined together. 

2. The method ot claim 1 in which each electronic to- 
ken has a first number of bits and in which b) com- 
prises: 45 

for each electronic token creating a first token 
half by generating a random string having the 
first number of bits; 

for each electronic token creating a second to- so 
ken half by performing a bitwise XOR using the 
electronic token and the first token half; and 
for each electronic token associating with each 
token half a serial number, each token half com- 
bining with another token half having a same ss 
serial number to rocroato an electronic token. 

3. The method of claim 2 in which the set of two or 



more parties includes a buyer and a seller; the 
method further comprising: 

c) delivering to the seller a first subset ot the 
electronic token halves, no two of the lirsl sub- 
set of electronic token halves having a same 
serial number; and 

d) delivering to the buyer a second subset of 
the electronic token halves, no two of the sec- 
ond subset of electronic token halves having a 
same serial number 

4. The method of claim 3 further comprising: 

6) delivering a good to the buyer in response 
to receipt of a one of the electronic token halves of 
the second subset if the ono of tho electronic token 
halves from the second subset combines with a one 
of the electronic token halves from the first subset 
to recreate an electronic token. 

5. The method ol claim 4 in which e) comprises: 

combining the two electronic token halves by 
performing an XOR operation. 

6. The method of any of claims 3 to 5 in which b) f urther 
comprises: 

storing in a database entry the serial numbers 
of each pair of electronic token halves. 

7. The method of claim 6, further comprising: 

f) in response to a redemptton request from 
the seller including a first electronic token, detecting 
an attempt to double spend the first electronic token 
using a serial number of the first electronic token 
and the database entry. 

9. The method of claim 6 or 7, further comprising: 

g) in response to a redemption request from the 
buyer including a first electronic token half hav- 
ing a ftrst serial number 
1] redeeming electronic tokens received from 
the seller; 

2) noting as invalid the serial nunobers of the 
electronic tokens received from the seller using 
the database entry; and 

3) detecting an attempt by the buyer to double 
spend the first electronic token half using the 
database entry. 

9. The method of any preceding claim, in which a) is 
performed in response to a request from one of the 
set of parties, the request including proof of an as- 
sertion about the requesting party, each electronic 
token including bits representing the assertion. 

1 0. A product for generating electronic tokens for trans- 
actions between a set of two or more parties, the 
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product comprising: 

genoratton means (18a, I8b. 1014) for gener- 
ating two or mote etectronic tokens; and 
splitting means (18a, I8b. 1016-1024) (or splil- 5 
ting each electronic token into a set of electron- 
ic token items that includes one electronic to- 
ken item for each of the set of two or more par- 
ties: all of the electronic token items in each set 
having a same unique identifier, each set of 
electronic token items recreating the electronic 
token when combined together. 
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